Sweden Fines Google Analytics $1M

The Swedish Authority for Privacy Protection (IMY) has hit Tele2 and CDON with data privacy fines. This is because of their export of European user data via Google Analytics.

The data privacy fines given to Tele2 and CDON are €1 million and €25,500 respectively.

These are the first of their kind in the EU. This is despite several European authorities already ruling that Google Analytics violates GDPR rules for user data protection.

These decisions in Sweden follow previous privacy complaints aimed at Google Analytics in August 2020. It’s also proof of the success of nyob - an action group that focuses on commercial privacy and data protection violations across Europe.

Read more about these groundbreaking data privacy fines on the nyob website.

In addition to Tele2 and CDON, the Swedish regulator also found that Coop and Dagens Industries also violated GDPR by using Google Analytics.

And while they have also been ordered to stop using the tool, no data privacy fines were issued.

The decisions suggest that the regulator is taking a case-by-case approach to violations. This is despite the Court of Justice of the European Union (CJEU) finding EU-US data transfers to be illegal in most cases.

And while this suggests that enforcement capabilities still have some way to go, the data privacy fines do show that Europe's data protection authorities are strengthening.

Businesses should see these data privacy fines as a warning. They should take steps to ensure that their data practices comply with GDPR requirements.

Marco Blocher, a data protection lawyer at noyb, welcomed the Swedish DPA's decision:

"Finally, a DPA has imposed a significant fine for the continued use of a tool that transfers personal data to the United States in violation of the GDPR – and banned the further use of that tool. This is a pleasant change compared to other DPAs simply holding that there has been a violation but creating no incentive to comply in the future. We hope that other DPAs follow the Swedish DPAs example and put an end to unlawful data transfers."

Last year, several European DPAs - notably in Austria, France and Italy - cautioned against the use of Google Analytics. This followed findings that many of their users were non-compliant with the EU’s rules on international data transfer.

The landscape for data privacy fines continues to change. The EU and US are currently finalizing a third data transfer agreement, the EU-U.S. Data Privacy Framework. This policy is expected to be finalized later this month (July 2023).

However, legal challenges are possible. Various European institutions have expressed concerns that the new arrangement may not fully address the issues raised by the judges.

This development has real consequences for businesses using website analytics.

Companies that rely on these tools for customer insights must ensure they comply with regulations. Otherwise, they risk data privacy fines, reputational damage, and loss of income.

Ultimately, this decision by the Swedish data watchdog highlights the importance of respecting GDPR rules on data transfers to third countries.

Before anything, they should consider these laws when choosing website analytics software.

These data privacy fines are another reason to switch from Google Analytics to TWIPLA or another privacy-first option.

Our website intelligence solution is fully GDPR compliant. It also meets the requirements of the EU ePrivacy Directive and other global data privacy laws, making it a strong choice for businesses concerned about data privacy.

TWIPLA is built around a privacy center that enables businesses to adjust functionality to local data privacy laws.

Its advanced model ensures that website visitor data is both fully anonymized and highly accurate. Crucially, it collects data without tracking the exact behavior of individual users - removing the risk of data privacy fines.